Summary | ZeroBOX

loader.ps1

Category FILE
Machine s1_win7_x6403_us
Started April 23, 2024, 11:05 a.m.
Completed April 23, 2024, 11:08 a.m.
Size 442.3KB
Type ASCII text, with very long lines, with no line terminators
MD5 bc9216dd4399300c9b789251456df0ce
SHA256 a980bbfc10dc5f8a7c61e0f343bd4c194c755b9e514c2bd8f50e8f60381ecfeb
CRC32 A69BF397
ssdeep 6144:NSg6lMvf4heu8iFtEUkrEl7AaxQWYZybOCLlELF90LduTXr4pxbjLrk9ww9uj6Xe:NtHkeZ6EU86n1QybOGIF9udurEk62lwL
Yara None matched

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

GlobalMemoryStatusEx
(no arguments)
Status 1, Return 1, Repeated 0

NtAllocateVirtualMemory (9 calls)
Common to all 9 calls: process_identifier 1000; process_handle 0xffffffff (the GetCurrentProcess() pseudo-handle, so every allocation lands in the loader's own process); protection 64 (PAGE_EXECUTE_READWRITE); stack_dep_bypass 0; stack_pivoted 0; Status 1, Return 0 (STATUS_SUCCESS), Repeated 0.

#  region_size  base_address  allocation_type                     heap_dep_bypass
1  4096         0x024cb000    4096 (MEM_COMMIT)                   1
2  4096         0x024df000    4096 (MEM_COMMIT)                   1
3  327680       0x7ef40000    1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0
4  4096         0x7ef40000    4096 (MEM_COMMIT)                   1
5  4096         0x7ef40000    4096 (MEM_COMMIT)                   1
6  65536        0x7ef30000    1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0
7  4096         0x7ef30000    4096 (MEM_COMMIT)                   1
8  4096         0x024a9000    4096 (MEM_COMMIT)                   1
9  4096         0x05490000    4096 (MEM_COMMIT)                   1

Every allocation requests writable and executable pages; the two MEM_RESERVE|MEM_TOP_DOWN calls reserve regions (0x7ef40000, 0x7ef30000) that the following MEM_COMMIT calls then back with RWX pages, which is the memory layout a script needs before copying and executing shellcode in-process.
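As an added example (this is not ZeroBOX's own code), the script below parses API-call records in the flattened layout used above, decodes the numeric protection and allocation_type columns back to their winnt.h names, and reports the RWX commits made through the 0xffffffff pseudo-handle into the loader's own process. The record-layout regexes, the 32-bit pseudo-handle value, and the final PAGE_READWRITE control record are assumptions made for the example; the other sample values are copied from the table above.

```python
"""Decode flattened NtAllocateVirtualMemory records from a ZeroBOX/Cuckoo-style
API log and flag writable+executable commits into the calling process.
Added example, not ZeroBOX code; the record layout regexes, the 32-bit
pseudo-handle value and the control record are assumptions."""
import re
from dataclasses import dataclass, field

# winnt.h constants; the report prints these numbers before the symbolic name.
PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
ALLOC_TYPES = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH", 0x400000: "MEM_PHYSICAL",
}
WRITABLE_EXEC = 0x40 | 0x80   # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
SELF_HANDLE = 0xFFFFFFFF      # GetCurrentProcess() pseudo-handle as logged (assumed 32-bit)

@dataclass
class ApiCall:
    api: str
    args: dict = field(default_factory=dict)
    status: int = 0
    ret: int = 0
    repeated: int = 0

ARG_RE = re.compile(r"^(\w+):\s*(\S+)")            # "key: value (symbolic)"
TAIL_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)$")   # "status return repeated"

def parse_records(text):
    """One ApiCall per 'name / key: value ... / status return repeated' block.
    Header lines contain spaces and no colon, so they are skipped; a record
    that never gets its status line is dropped rather than guessed."""
    calls, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := TAIL_RE.match(line)) and cur is not None:
            cur.status, cur.ret, cur.repeated = map(int, m.groups())
            calls.append(cur)
            cur = None
        elif (m := ARG_RE.match(line)) and cur is not None:
            cur.args[m.group(1)] = int(m.group(2), 0)   # decimal or 0x-hex
        elif " " not in line:
            cur = ApiCall(api=line)
    return calls

def decode_flags(value, table):
    """Render a bitmask with its winnt.h names, e.g. 1056768 -> MEM_RESERVE|MEM_TOP_DOWN."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"

def rwx_self_commits(calls):
    """Successful NtAllocateVirtualMemory calls that commit writable+executable
    pages into the caller's own process: the staging step before shellcode runs."""
    return [c for c in calls
            if c.api == "NtAllocateVirtualMemory" and c.status == 1
            and c.args.get("process_handle") == SELF_HANDLE
            and c.args.get("allocation_type", 0) & 0x1000          # MEM_COMMIT
            and c.args.get("protection", 0) & WRITABLE_EXEC]

def summarize(calls):
    hits = rwx_self_commits(calls)
    return {
        "rwx_commits": len(hits),
        "rwx_bytes": sum(c.args["region_size"] for c in hits),
        "regions": sorted({c.args["base_address"] for c in hits}),
        "heap_dep_bypass": any(c.args.get("heap_dep_bypass") for c in hits),
    }

def _record(size, dep_flag, protection, base, alloc_type):
    """Emit one record in the report's flattened layout (constructed sample)."""
    return (f"NtAllocateVirtualMemory\n\nregion_size: {size}\n"
            f"heap_dep_bypass: {dep_flag}\nprotection: {protection}\n"
            f"base_address: {base}\nallocation_type: {alloc_type}\n"
            f"process_handle: 0xffffffff\n1 0 0\n\n")

# Constructed sample: the first three records copy values from the report;
# the PAGE_READWRITE record is a made-up control that must not be flagged.
SAMPLE = "Time & API Arguments Status Return Repeated\n\nGlobalMemoryStatusEx\n\n1 1 0\n\n" + "".join([
    _record(4096, 1, "64 (PAGE_EXECUTE_READWRITE)", "0x024cb000", "4096 (MEM_COMMIT)"),
    _record(327680, 0, "64 (PAGE_EXECUTE_READWRITE)", "0x7ef40000", "1056768 (MEM_RESERVE|MEM_TOP_DOWN)"),
    _record(4096, 1, "64 (PAGE_EXECUTE_READWRITE)", "0x7ef40000", "4096 (MEM_COMMIT)"),
    _record(8192, 0, "4 (PAGE_READWRITE)", "0x00300000", "4096 (MEM_COMMIT)"),
])

if __name__ == "__main__":
    calls = parse_records(SAMPLE)
    for c in calls:
        if c.api == "NtAllocateVirtualMemory":
            print(f"{c.args['base_address']:#010x} {c.args['region_size']:>7} "
                  f"{decode_flags(c.args['protection'], PROTECTIONS)} "
                  f"{decode_flags(c.args['allocation_type'], ALLOC_TYPES)}")
    print(summarize(calls))
```

The reserve-only calls (MEM_RESERVE|MEM_TOP_DOWN) are deliberately not counted: reserved pages are not backed until committed, so counting them would overstate the executable footprint. Pointing the parser at the full call log instead of SAMPLE gives the total RWX bytes and distinct regions the loader carved out for itself.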
Antivirus

Engine | Detection
Skyhigh BehavesLike.PS.Dropper.gg
ALYac Generic.PwShell.Rozena.1.9D6ABCF0
VIPRE Generic.PwShell.Rozena.1.9D6ABCF0
Sangfor Trojan.Generic-PS.Save.07a1149b
Arcabit Generic.PwShell.Rozena.1.9D6ABCF0
Symantec ISB.Downloader!gen173
ESET-NOD32 PowerShell/Kryptik.EJ
Kaspersky HEUR:Trojan.Script.Generic
BitDefender Generic.PwShell.Rozena.1.9D6ABCF0
MicroWorld-eScan Generic.PwShell.Rozena.1.9D6ABCF0
Rising Trojan.Injector/PS!1.D1D5 (CLASSIC)
Emsisoft Generic.PwShell.Rozena.1.9D6ABCF0 (B)
FireEye Generic.PwShell.Rozena.1.9D6ABCF0
Ikarus Trojan.PS.Agent
Google Detected
Microsoft Trojan:Script/Wacatac.B!ml
ZoneAlarm HEUR:Trojan.Script.Generic
GData Generic.PwShell.Rozena.1.9D6ABCF0
Varist PSH/Inject.A.gen!Camelot
Tencent Trojan.PowerShell.Obfuscated.11027659
MAX malware (ai score=82)